Most Banks Lack Key Data Privacy, Security Controls

A Ponemon Institute study finds that while most financial services firms take some steps toward data security, many come up short in critical areas.

Most financial institutions have large gaps in their privacy and data protection programs, concludes a study of financial services companies' privacy and data security released by the Ponemon Institute yesterday. The biggest gaps are in the areas of insider threats, the outsourcing of sensitive data to third parties and the protection of customer data.

According to the study, Privacy & Data Protection Practices: a Benchmark Study of the Financial Services Industry (which was sponsored by Compuware), the six areas of greatest vulnerability to privacy and data protection threats in financial organizations are: risk of a data breach, diminishment of customer loyalty and trust, malicious or negligent insiders, the risk of outsourcing sensitive and confidential data to third parties, and compliance with regulations (especially the Red Flags Rule).

Asked about data breaches, survey respondents say senior management is out-of-touch with security issues such as the growing threat of cyber criminals and increasing incidents of data theft, and that this hinders their ability to secure adequate funding and support for data breach prevention efforts. The top security practices the study found that banks do use are physical security safeguards that prevent access to storage devices containing consumer or customer information, technologies or other means to identify or prevent unauthorized or illegal movement or transfer of data or documents, and steps to secure Social Security numbers.

Although the majority of organizations (76%) have a data protection plan, less than half (47%) review new software applications and databases for privacy considerations and compliance to law before placed in operation. Most firms use Social Security numbers for customer identification (only 12% do not), but 88% of organizations say they take steps to secure the use of Social Security numbers through data handling policies or redacting the Social Security numbers from view.

One big no-no the survey uncovered was that more than 83% of financial services companies use real (live) customer or employee information in development and testing, and 51% of these companies admit they do not take appropriate steps to protect real data used in development and testing such as anonymization of data, masking, subsetting or other methods.

To prevent data loss and theft, 87% of companies in the study use a mechanism to detect unauthorized or illegal movement or transfer of data or documents; 92% use SSL on all web forms containing sensitive personal information; and 85% authenticate all visitors to websites that contain sensitive or confidential information.

The Ponemon Institute has identified some security practices that financial services don't use as much as they should:

-Compliance procedures to ensure that user access rights are accurate, complete and appropriately specified to fulfill a given set of business functions — in use by 56 percent of organizations.

-Data loss prevention solutions to curtail the leakage of consumer or customer information — used by 41 percent of organizations.

-Intrusion detection systems — in use by 47 percent of organizations.

-Protection of real data used in development and testing — in use by 49% of organizations.

The Institute also identified some privacy and data protection practices critical to building trust and loyalty with consumers and found that — surprise — they're also little used in financial services firms surveyed, for example:

-32% offer a helpline for customers to ask questions or report a problem with privacy

Most organizations surveyed (84%) monitor insider threats such as malicious employees and 85% use surveillance methods to monitor the Internet and email of employees. Fifty-eight percent of companies inform employees about the use of surveillance.

About half of the firms studied (51%) use security safeguards such as whole disk encryption to prevent consumer or customer data on laptop computers or other portable devices from being lost or stolen. Only 31% report they sufficiently secure the company's network or enterprise system.

Despite the risk of a data breach when outsourcing confidential and sensitive data to third parties, only 49% of organizations in the study perform reviews or vet business partners before sending data about customers, consumers, employees and others. Further, only 49% have standard contracts with business partners containing language that ensures privacy protections over their data.

Many more data points from the research as well as suggestions for beefing up data security can be found in the report, which can be downloaded free with registration.